Due to rising cyber-attacks and the potential to cause harm to patients, medical facilities and hospitals, the U.S. Food and Drug Administration (FDA) has recently increased scrutiny of cyber controls in FDA premarket submissions of medical devices. Manufacturers must prove that devices, including software-as-a-medical device (SaMD), do not present cybersecurity vulnerabilities that may affect the device’s safety, effectiveness or security. The FDA recently summarized the significance of the situation, stating, “Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the US and globally.”
Both Congress and the FDA recently introduced actions addressing the problem. The bipartisan PATCH Act (Protecting and Transforming Cyber Health Care) aims to strengthen healthcare infrastructure by requiring medical device manufacturers to implement improved cybersecurity measures as part of the product life cycle. Effectively, if passed, the PATCH Act would “amend the Federal Food, Drug, and Cosmetic Act to require, for purposes of ensuring cybersecurity, the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the life cycle of the cyber device.”
The PATCH Act follows a new cybersecurity draft guidance issued by the FDA’s Center for Devices and Radiological Health (CDRH). The FDA first issued a final cybersecurity guidance in 2014, and later updated it to a draft pre-market guidance in 2018 but never moved the draft to final guidance. The latest draft guidance, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (April 2022), builds upon the 2018 version, incorporating input from industry and recommendations from the Health Care Industry Cybersecurity (HCIC) Task Force Report.
In earlier cybersecurity guidance for premarket submissions, the following key elements were identified as requirements:
- Network security and threat model diagrams that identify security requirements and pinpoint security threats and potential vulnerabilities.
- Cybersecurity risk analysis to identify, manage, and safeguard information and assets while providing traceability to security testing.
- Test evidence proving cybersecurity controls were effectively implemented.
- A cybersecurity bill of materials (CBOM) that includes a list of commercial, off-the-shelf, and open-source software and hardware components included in the device.
The updated guidance advances cybersecurity from focusing on evidence of individual controls to making cybersecurity a consideration as part of the complete product life cycle. Medical device, including SaMD, manufacturers can improve their cybersecurity plans by understanding the key points of the updated draft guidance. Following is a summary of the five core principles that have been added:
- Cybersecurity is part of device safety and the quality system regulation (QSR). The quality system is now required to include development processes to address cybersecurity with the recommendation to implement a Secure Product Development Framework (SPDF) approach. A summary of the methods recommended by the FDA includes but is not limited to:
- Threat modeling to help identify threats and then define countermeasures to prevent or mitigate the effects to the system. A threat model should be applied continuously across the life cycle as more details or functionality are added to the device. Threat model documentation included in a premarket submission should demonstrate how risks are assessed and controls implemented.
- Security risk assessment, management, and controls that consider risk of the device within the context of the larger system in which it operates. Manufacturers should plan to include security risk documentation in future premarket submissions. This includes a security assessment of anomalies found in design and development that remain unresolved.
- The provision of cybersecurity testing, including security requirements, threat mitigation, vulnerability testing, and penetration testing, in future submissions.
- Design for security. The guide is explicit that the FDA will “will assess the adequacy of the device’s security based on the device’s ability to provide and implement the security objectives.” It is critical that manufacturers can present evidence to satisfy the key security objectives: authenticity, authorization, availability, confidentiality, and secure and timely updatability and patchability. The addition of these security concepts must be addressed throughout the design life cycle, from product definition to post-market, as a built-in function of the software design.
- Establish a software bill of materials (SBOM), which is an electronically readable inventory of third-party components, to enhance software supply chain security. The SBOM replaces the CBOM and provides supplementary information to help identify devices affected by vulnerabilities in the software components.
- Plan to monitor, identify, and address post-market cybersecurity vulnerabilities. The recommendations of the latest guidance are intended to supplement the FDA’s guidance Postmarket Management of Cybersecurity in Medical Devices.
- Be Transparent; disclose vulnerabilities to demonstrate safety and effectiveness of the device to the end-user. The FDA recommends relevant security information to be included on the label, which is regulated under section 502(f) of the FD&C Act.
The guidance recommends that these requirements be considered in premarket submissions. The extent of the documentation depends on the device, its functions, and the overall cybersecurity threat it presents.
For example, digital therapeutics can be particularly vulnerable to data security risks with patient health information (PHI). However, as patient-facing apps that are mostly intended for use in the home setting, digital therapeutics do not generally present the same cyber security threats as medical devices that are intended for use in the hospital or outpatient environments. Some digital therapeutics have provider-facing elements, such as web-based provider portals, that present client-side threats. However, because the portals operate within a web browser, the facility’s IT security infrastructure alleviates much of the risk.
Manufacturers of digital therapeutics and other devices with a low cybersecurity risk should still plan to account for the items included in the guidance, including updates to the quality system that satisfy the basic requirements and a determination of what additional information should be included on the device’s label. Manufacturers should also implement a threat model to understand potential threats and ensure that robust security measures are in place. Finally, if the device includes a provider portal, steps should be taken to ensure that the service can be trusted by the facility, which means, at a minimum, using a secure socket layer (SSL) certificate.
Kory is a Regulatory Affairs Associate Director with extensive experience in Software as a Medical Device and Software Development Life Cycle. Kory has 20+ years of experience in business and technology operations and 9…
Marty is an innovator at the cross-section of product development and regulatory affairs in the medical device and digital medicine sectors. In recent years, he led the effort to obtain the first ever breakthrough…